home.social

#dependencyconfusion — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dependencyconfusion, aggregated by home.social.

  1. AI-generated code could be a disaster for the software supply chain. Here’s why. - AI-generated computer code is rife with references to non-existent third-p... - arstechnica.com/security/2025/ #packageconfusion.packagehallucination #dependencyconfusion #supplychainattac #security #biz#ai

  2. Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!

    giraffesecurity.dev/posts/depe

    #DependencyConfusion #dependabot #vulnerability

  3. Backdoor in public repository used new form of attack to target big firms - Enlarge (credit: Getty Images)

    A backdoor that researchers fou... - arstechnica.com/?p=1853739 #dependencyconfusion #repositories #opensource #biz&it

  4. > Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
    [ . . . ]
    > In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
    > Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.
    Wow.

    #SupplyChainAttack #DependencyConfusion
  5. This Week in Security: APT Targeting Researchers, and Someone Watching All the Cameras - Microsoft’s Patch Tuesday just passed, and it’s a humdinger. To add the cherry on top, two seperate ... - hackaday.com/2021/03/12/this-w #dependencyconfusion #hackadaycolumns #securityhacks #patchtuesday #exchange

  6. More top-tier companies targeted by new type of potentially serious attack - Enlarge (credit: Getty Images)
    A new type of supply chain attack unveiled last month is targeting... - arstechnica.com/?p=1747637 #dependencyconfusion #networkcompromise #supplychain #malware #biz&it #tech

  7. Ein Sicherheitsforscher demonstriert, wie er mit vergleichsweise wenig Aufwand seinen Fuß in Systeme von beispielsweise Apple, Netflix und Tesla setzen konnte.
    Sicherheitsforscher bricht über Open-Source-Repositories bei PayPal & Co. ein